x/vulndb: potential Go vuln in github.com/containers/buildah: CVE-2021-3602 #345

Closed
GoVulnBot opened this issue Mar 3, 2022 · 1 comment


@GoVulnBot

In CVE-2021-3602, the reference URL github.com/containers/buildah (and possibly others) refers to something in Go.

module: github.com/containers/buildah
package: buildah
description: |
    An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
cves:
  - CVE-2021-3602
links:
    commit: https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
    context:
      - https://bugzilla.redhat.com/show_bug.cgi?id=1969264
      - https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
      - https://ubuntu.com/security/CVE-2021-3602

See doc/triage.md for instructions on how to triage this report.

@gopherbot
Contributor

Change https://go.dev/cl/417454 mentions this issue: x/vulndb: add reports/GO-2022-0345.yaml for CVE-2021-3602
